Software services provider Ivanti is warning about a new critical zero-day flaw affecting Ivanti Sentry (formerly MobileIron Sentry), which it says is being actively exploited in the wild, adding to the company's growing list of security problems.
Tracked as CVE-2023-38035 (CVSS score: 9.8), the issue is described as an authentication bypass affecting version 9.18 and earlier, caused by an insufficiently restrictive Apache HTTPD configuration.
“If exploited, this vulnerability would enable an unauthenticated actor to access certain sensitive APIs used to configure Ivanti Sentry on the Administrator Portal (port 8443, typically MICS),” the company said.
“Although this issue has a high CVSS score, the risk of exploitation is low for clients that do not expose port 8443 to the Internet.”
Successful exploitation of the bug could allow an attacker to change configuration, run system commands, or write files on the system. Ivanti recommends that users limit access to MICS (port 8443) to the internal management network.
Although exact details about the nature of the exploit are currently unknown, the company said it is “only aware of a limited number of customers” who have been affected.
Norwegian cyber security company mnemonic has been credited with discovering and reporting the flaw.
“Successful exploitation allows an unauthenticated threat actor to read and write files to the Ivanti Sentry server and execute OS commands as system administrator (root) through use of ‘super user do’ (sudo),” it said.
In addition, CVE-2023-38035 can be weaponized after exploiting CVE-2023-35078 and CVE-2023-35081, two other recently disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), in scenarios where port 8443 is not publicly accessible, because the Admin Portal is used to communicate with the Ivanti EPMM server.
The development comes a week after Ivanti fixed two critical stack-based buffer overflow flaws (CVE-2023-32560) in its Avalanche software that could lead to crashes and arbitrary code execution on vulnerable installations.
UPDATE
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added CVE-2023-38035 to its Known Exploited Vulnerabilities (KEV) catalog, alongside CVE-2023-27532, a critical bug in Veeam Backup & Replication software, following active in-the-wild exploitation.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the patch by September 12, 2023, to secure their networks against potential cyber attacks.